Abstract:


The paper explores the three important classes of temporal properties of concurrent programs: invariance, liveness and precedence. It presents the first methodological approach to the precedence properties, while providing a review of the invariance and liveness properties. The approach is based on the unless operator, which is a weak version of the until operator $\mathcal{U}$. For each class of properties, we present a single complete proof principle. Finally, we show that the properties of each class are decidable over finite state programs.


1.  INTRODUCTION 


In studying temporal properties of programs, i.e., properties that go beyond partial correctness, an obvious hierarchy of such properties can be developed. One way of classifying the different sets in this hierarchy is by the syntax of the temporal formulas expressing them.

The first set in this hierarchy is the class of invariance properties (safety in the terminology of [L1]). These are the properties that can be expressed in terms of a formula of the form:

$\Box\psi$ or $\varphi \supset \Box\psi$.

A formula of the first form, stated for a program $P$, says that every computation of $P$ continuously satisfies $\psi$. In the case of the second form, the formula says that whenever $\varphi$ is true, $\psi$ is immediately realized and will hold continuously throughout the rest of the computation. Properties falling into this class include partial correctness, clean behavior (error freedom), mutual exclusion, and deadlock absence.

The second set in the hierarchy of properties is the class of liveness properties (eventualities in the terminology of [MP1]). These are properties that are expressible by temporal formulas of the form:

$\Diamond\psi$ or $\varphi \supset \Diamond\psi$.

In both forms these formulas guarantee the occurrence of some event $\psi$, in the first case unconditionally and in the second case conditionally on an earlier occurrence of the event $\varphi$. Among the properties falling into this class are: total correctness, termination, accessibility, lack of individual starvation, and responsiveness.

While most of the researchers in the field tend to agree that these two classes are the first two rungs in a natural hierarchy, there is less of a consensus about what should be the next step in the hierarchy. In previous work we have proposed that the next class to be studied is that of precedence properties. In a broad sense, precedence properties are all the properties that are expressible using the until operator $\mathcal{U}$. To remind the reader, the expression $p\,\mathcal{U}\,q$, read "$p$ until $q$", means that eventually $q$ must happen and between now and then $p$ must continuously hold.

A more mathematical formulation of this definition is given by:

Let $\sigma = s_0, s_1, s_2, \ldots$ be a sequence of states. Then $p\,\mathcal{U}\,q$ is true for $\sigma$ if there exists a $j \ge 0$ such that:

$q$ is true for the sequence $s_j, s_{j+1}, s_{j+2}, \ldots$

(if $q$ is a state property then $q$ holds at $s_j$), and for every $i$, $0 \le i < j$:

$p$ is true for the sequence $s_i, s_{i+1}, s_{i+2}, \ldots$

(if $p$ is a state property then $p$ holds at $s_i$). Here, a state property is a property that depends only on the state and not on the full sequence. Note that in the special case that $j = 0$, $q$ is true on $\sigma$ and no requirements for $p$ are implied.

A derived operator is the precede operator $\mathcal{P}$ that can be defined by:

$p\,\mathcal{P}\,q \equiv \neg((\neg p)\,\mathcal{U}\,q)$.

The meaning of this operator is "$p$ precedes $q$", i.e., if $q$ ever happens it cannot happen unless $p$ occurs first (strictly before $q$). In contrast to $p\,\mathcal{U}\,q$, which requires that $q$ eventually happens, $p\,\mathcal{P}\,q$ is automatically satisfied if $q$ never happens.

We often use nested until expressions of the form

$p_1\,\mathcal{U}\,(p_2\,\mathcal{U}\,(p_3\,\mathcal{U} \cdots (p_k\,\mathcal{U}\,q) \ldots))$,

where $p_1, \ldots, p_k, q$ are state properties, i.e., formulas dependent only on the state and containing no temporal operators. By careful examination of the semantic definition of the until operator we arrive at the interpretation that, stated at $t_0$, this expression means that there exist instants $t_1, \ldots, t_k$,

$t_0 \le t_1 \le t_2 \le \cdots \le t_k$,

such that:

$p_1$ holds in every $t$, $t_0 \le t < t_1$,
$p_2$ holds in every $t$, $t_1 \le t < t_2$,
$\ldots$
$p_k$ holds in every $t$, $t_{k-1} \le t < t_k$, and
$q$ holds in $t_k$.

Thus, this expression predicts a period of continuous $p_1$ followed by a period of continuous $p_2$, and so on, until a period of continuous $p_k$, followed by an occurrence of $q$. Note that any of these periods may be empty by having $t_i = t_{i+1}$ for an empty $(i+1)$st period.

Since we are interested only in nested until expressions where the nesting is in the second argument, we can omit the parentheses and represent the expression above by:

$p_1\,\mathcal{U}\,p_2\,\mathcal{U}\,p_3 \cdots p_k\,\mathcal{U}\,q$.

The class of precedence properties that we consider are therefore formulas of one of the forms:

$p \supset (q\,\mathcal{P}\,r)$, a precede formula;
$p \supset (p_1\,\mathcal{U}\,p_2\,\mathcal{U} \cdots p_k\,\mathcal{U}\,q)$, an until formula.

Several  interesting  properties  fall  into  the  broad  class  of  precedence  properties. 


Example: 

Let us consider a program $G$ (granter) serving as an allocator of a single resource between several processes (requesters) $R_1, \ldots, R_k$ competing for the resource. Let each $R_i$ communicate with $G$ by means of two boolean variables: $r_i$ and $g_i$. The variable $r_i$ is set to true by the requester $R_i$ to signal a request for the resource. Once $R_i$ has the resource it signals its release by setting $r_i$ to false. The allocator $G$ signals $R_i$ that the resource is granted to him by setting $g_i$ to true. Having obtained a release signal from $R_i$, which is indicated by $r_i$ = false, some time later it will reappropriate the resource by setting $g_i$ to false.

Several obvious and important properties of this system belong to the invariance and liveness classes. For instance, the property

ensuring that the resource is granted to at most one requester at a time, is an invariance property. In summing boolean variables we treat true as 1 and false as 0. Similarly, the important property

$r_i \supset \Diamond g_i$,

which ensures responsiveness, is a liveness property. It guarantees that every request $r_i$ will eventually be granted by setting $g_i$ to true.

Let us, however, consider some precedence properties which are relevant to the specification of such a system.

(a) Absence of Unsolicited Response.

An important but often overlooked desired feature is that the resource will not be granted to a party who has not requested it. (A similar property in the context of a communication network is that every message received must have been sent by somebody.) This is expressible by the temporal formula

$\neg g_i \supset (r_i\,\mathcal{P}\,g_i)$.

The formula states that if presently $g_i$ is false, i.e., $R_i$ does not presently have the resource, then before the resource will be granted to $R_i$ the next time, $R_i$ must signal a request by setting $r_i$ to true.

(b) Strict (FIFO) Responsiveness.

Sometimes the weak commitment of eventually responding to a request is not sufficient. At the other extreme we may insist that responses are ordered in a sequence paralleling the order of arrival of the corresponding requests. Thus if requester $R_i$ succeeded in placing his request before requester $R_j$, the grant to $R_i$ should precede the grant to $R_j$. A straightforward translation of this sentence yields the following intuitive but slightly imprecise expression:

$(r_i\,\mathcal{P}\,r_j) \supset (g_i\,\mathcal{P}\,g_j)$.

A more precise expression which also better conforms to the general form of the class of properties we discuss in this paper is:

$(r_i \wedge \neg r_j \wedge \neg g_j) \supset (\neg g_j\,\mathcal{U}\,g_i)$.

It states that if we ever find ourselves in a situation where $r_i$ is presently on, and $r_j$ and $g_j$ are both off, then we are guaranteed to eventually get a $g_i$, and until that moment no grant will be made to $R_j$. Note that $r_i \wedge \neg r_j$ implies that $R_i$'s request preceded $R_j$'s request, which has not materialized yet. We implicitly rely here on the assumption that once a request has been made it is not withdrawn until the request has been honored.


This assumption can also be made explicit as part of the specification, using another precedence expression:

$r_i \supset g_i\,\mathcal{P}\,(\neg r_i)$.

Note that while all the earlier properties are requirements from the granter, and should be viewed as the "post-condition" part of the specification, this requirement is the responsibility of the requesters. It can be viewed as part of the "pre-condition" of the specification. Without this assumption we could not hope to implement the granter in any reasonable way, since it would have to respond to very short and intermittent requests.




(c) Bounded Overtaking.

The requirement of FIFO responsiveness may sometimes be too restrictive and difficult to implement. Any program for the allocator that scans the requests in a certain polling order, $r_1, \ldots, r_k$ and then back to $r_1$, may respond to requests in, say, the order of their detection by the program. This order may be different from the arrival order. A more realistic requirement would allow deviations from the FIFO discipline, provided they are bounded. For example, 1-bounded overtaking would say that for every $i$ and $j$ such that $r_i$ preceded $r_j$, we may allow $g_j$ to precede $g_i$ at most once. FIFO responsiveness may then be regarded as 0-bounded overtaking. In order to express 1-bounded overtaking we have to use nested until expressions.

The 1-overtaking property can be expressed by a nested until expression:

$(r_i \wedge \neg r_j) \supset (\neg g_j)\,\mathcal{U}\,g_j\,\mathcal{U}\,(\neg g_j)\,\mathcal{U}\,g_i$.

This expression predicts a period in which $R_j$ does not have the resource, followed by a continuous period in which $R_j$ has got the resource, followed by a period in which $R_j$ does not have the resource, followed by a grant of the resource to $R_i$. Since any of these periods may be empty, the formula actually states that in the worst case $R_j$ may gain the resource at most once before


Proofs of invariance properties for concurrent programs have been extensively discussed in the literature (e.g., [OG], [K], [L1], [MP2]). Fewer suggestions have been made for approaches to proving liveness properties (e.g., [OL], [MP2], [MP3]).

In this work we address the problem of verifying properties of the precedence class. Our main conclusion is that the verification of precedence properties does not call for radically new ideas and can actually be viewed as a generalization of the approaches suggested for invariance and liveness properties. In fact, precede formulas are in many respects generalizations of invariance properties, whereas until formulas can be established by a generalization of the proof principles for liveness properties.

To provide a proper framework, we first introduce an abstract operational model of concurrent programs. We then outline a proof system based on temporal logic; the system has been shown in [MP5] to be relatively complete for proving all properties of concurrent programs. We then discuss some derived proof principles that are tailored directly for the verification of precedence properties. The utility of these principles is demonstrated by proving several examples.
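As an added illustration, not part of the paper, here is a small Python checker for the until, precede and nested until operators on finite state sequences, applied to properties (a), (b), (c) of the granter and to the requester obligation $r_i \supset g_i\,\mathcal{P}\,(\neg r_i)$ for a two-requester instance. The formula encoding, the state encoding and the three traces are assumptions of this example. A finite trace is read, as in the model of Section 2, with its last state repeated forever, and each property is checked on every suffix, since the paper requires it of all admissible computations.

```python
"""Checker for until / precede / nested-until formulas on finite traces
(added example, not the paper's code).  A trace is a list of states, each a
dict of booleans; as in the paper's model of a terminating computation, the
last state repeats forever.  Formulas are nested tuples: ('atom', name),
('not', f), ('and', f, g), ('implies', f, g), ('until', p, q),
('precede', p, q), ('box', f), ('diamond', f)."""
from functools import reduce


def holds(f, trace, i=0):
    """Truth of formula f on the suffix s_i, s_{i+1}, ... of trace."""
    last = len(trace) - 1
    op = f[0]
    if op == 'atom':
        return bool(trace[i][f[1]])
    if op == 'not':
        return not holds(f[1], trace, i)
    if op == 'and':
        return holds(f[1], trace, i) and holds(f[2], trace, i)
    if op == 'implies':
        return (not holds(f[1], trace, i)) or holds(f[2], trace, i)
    if op == 'until':
        # p U q: some j >= i with q on suffix j and p on every suffix i..j-1.
        # Suffixes past `last` equal the suffix at `last`, so j <= last suffices;
        # j == i asks nothing of p (the paper's j = 0 case).
        for j in range(i, last + 1):
            if holds(f[2], trace, j):
                return True
            if not holds(f[1], trace, j):
                return False
        return False
    if op == 'precede':
        # p P q is defined as not((not p) U q): q only after a strictly earlier p.
        return not holds(('until', ('not', f[1]), f[2]), trace, i)
    if op == 'box':
        return all(holds(f[1], trace, j) for j in range(i, last + 1))
    if op == 'diamond':
        return any(holds(f[1], trace, j) for j in range(i, last + 1))
    raise ValueError('unknown operator %r' % op)


def valid(f, trace):
    """Properties are asserted for all admissible computations: every suffix."""
    return all(holds(f, trace, i) for i in range(len(trace)))


# Formula builders.  until_chain(p1, ..., pk, q) nests in the second argument.
def until_chain(*fs): return reduce(lambda q, p: ('until', p, q), reversed(fs))
def conj(*fs): return reduce(lambda a, b: ('and', a, b), fs)
def neg(f): return ('not', f)
def r(i): return ('atom', 'r%d' % i)
def g(i): return ('atom', 'g%d' % i)


# The granter properties for requesters i, j.
def no_unsolicited(i):     # (a)  ~g_i  implies  r_i P g_i
    return ('implies', neg(g(i)), ('precede', r(i), g(i)))

def fifo(i, j):            # (b)  r_i & ~r_j & ~g_j  implies  ~g_j U g_i
    return ('implies', conj(r(i), neg(r(j)), neg(g(j))), ('until', neg(g(j)), g(i)))

def no_withdrawal(i):      # requester obligation  r_i implies g_i P ~r_i
    return ('implies', r(i), ('precede', g(i), neg(r(i))))

def one_overtaking(i, j):  # (c)  r_i & ~r_j  implies  ~g_j U g_j U ~g_j U g_i
    return ('implies', conj(r(i), neg(r(j))),
            until_chain(neg(g(j)), g(j), neg(g(j)), g(i)))


def state(r1=False, r2=False, g1=False, g2=False):
    return {'r1': r1, 'r2': r2, 'g1': g1, 'g2': g2}

# Constructed traces of a two-requester system (assumed, not from the paper).
FIFO_TRACE = [state(), state(r1=True), state(r1=True, r2=True),
              state(r1=True, r2=True, g1=True), state(r2=True, g1=True),
              state(r2=True), state(r2=True, g2=True), state(g2=True), state()]
OVERTAKE_TRACE = [state(), state(r1=True), state(r1=True, r2=True),
                  state(r1=True, r2=True, g2=True), state(r1=True, g2=True),
                  state(r1=True), state(r1=True, g1=True), state(g1=True), state()]
UNSOLICITED_TRACE = [state(), state(g1=True), state()]


def check(trace):
    """Which of the example properties hold on every suffix of trace."""
    props = {'no_unsolicited': conj(no_unsolicited(1), no_unsolicited(2)),
             'fifo': conj(fifo(1, 2), fifo(2, 1)),
             'one_overtaking': conj(one_overtaking(1, 2), one_overtaking(2, 1)),
             'no_withdrawal': conj(no_withdrawal(1), no_withdrawal(2))}
    return {name: valid(f, trace) for name, f in props.items()}


if __name__ == '__main__':
    for name, tr in (('FIFO', FIFO_TRACE), ('OVERTAKE', OVERTAKE_TRACE),
                     ('UNSOLICITED', UNSOLICITED_TRACE)):
        print(name, check(tr))
```

On the constructed traces, `FIFO_TRACE` satisfies all four properties; `OVERTAKE_TRACE` violates FIFO but satisfies 1-bounded overtaking, since exactly one grant to $R_2$ precedes the grant to $R_1$; and `UNSOLICITED_TRACE` violates (a), because $g_1$ is set without a strictly earlier $r_1$. The `precede` case also shows why the definition is strict: a state in which $r_1$ and $g_1$ become true together does not satisfy $r_1\,\mathcal{P}\,g_1$.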


2. A COMPUTATIONAL MODEL

We start by defining an abstract computational model; the temporal logic properties will be stated and proven for computations over this model.

The abstract model consists of the following elements:

$S$: a set of computation states. This is a possibly infinite set. Every element $s \in S$ represents the full configuration of the computing system; for concrete programs each state includes the values of all the program variables as well as the program pointers for all the processes.

$\Theta$: the initiality predicate. We will only consider computations originating in a state $s_0$ such that $\Theta(s_0)$ holds.

$T$: a finite set of transitions. With each transition $\tau \in T$ we associate a partial function $f_\tau : S \to 2^S$, where $f_\tau(s)$ yields all the possible outcomes of the transition $\tau$ on the state $s \in S$. A transition $\tau \in T$ is said to be enabled on a state $s$ if $f_\tau(s) \ne \emptyset$; otherwise it is called disabled on $s$. A state $s$ such that no transition $\tau \in T$ is enabled on it is called terminal.

$\mathcal{J}$: the justice family. This is a (possibly empty) family of sets of transitions $\mathcal{J} = \{T^J_1, \ldots, T^J_k\}$. Each set $T^J \in \mathcal{J}$, $T^J \subseteq T$, is called a justice set, and the justice requirement defined below is to be applied to the set $T^J$.

$\mathcal{F}$: the fairness family. This is a (possibly empty) family of sets of transitions $\mathcal{F} = \{T^F_1, \ldots, T^F_l\}$. Each set $T^F \in \mathcal{F}$, $T^F \subseteq T$, is called a fairness set, and a fairness requirement is to be applied to $T^F$.

An initialized computation of such a system is a sequence of states with labelled transitions:

$\sigma : s_0 \xrightarrow{\tau_1} s_1 \xrightarrow{\tau_2} s_2 \xrightarrow{\tau_3} \cdots$ where $\tau_i \in T$,

which satisfies the following requirements:

• Maximality. The sequence $\sigma$ is maximal, i.e., either it is infinite or its last state $s_k$ is terminal.

• Initiality. The first state $s_0$ satisfies the initiality predicate, i.e., $\Theta(s_0) = true$.

• State-to-state transition. For each step $s_i \xrightarrow{\tau_{i+1}} s_{i+1}$ in $\sigma$ we have that $s_{i+1} \in f_{\tau_{i+1}}(s_i)$.

• Justice. For each $T^J \in \mathcal{J}$ we impose a justice requirement:

  • $\sigma$ is finite, or
  • $\sigma$ is infinite and contains an infinite number of states on which no transition in $T^J$ is enabled, or
  • an infinite number of $\sigma$-steps are labelled by transitions in $T^J$.

This corresponds to the notion that if, for all states from a certain point on, some transition in $T^J$ (not necessarily always the same) is always enabled, then some transition of $T^J$ will be taken infinitely many times.

• Fairness. For each $T^F \in \mathcal{F}$ we impose a fairness requirement:

  • $\sigma$ is finite, or
  • $\sigma$ is infinite and from a certain point on no transition of $T^F$ is enabled, or
  • some transition of $T^F$ is taken infinitely many times.

This corresponds to the notion that if some transitions from $T^F$ are enabled infinitely many times then some transitions from $T^F$ are activated infinitely many times.

An admissible computation is any suffix of an initialized computation.

When considering a concrete computational system, we have to identify the five elements described above with more concrete objects. Since our example is based on a shared-variables computational model, we proceed with such identification for the shared-variables system. Such a system has the form:

$P ::= \bar{y} := g(\bar{x});\ [P_1 \parallel \cdots \parallel P_m]$,

where $\bar{y} = (y_1, \ldots, y_n)$ are the program (shared) variables, $\bar{x} = (x_1, \ldots, x_l)$ are the input variables, and $P_1, \ldots, P_m$ are the concurrent processes of the program. Each $P_i$ is represented by a transition graph with nodes (locations) $L_i = \{\ell^i_0, \ell^i_1, \ldots\}$ and directed edges $E_i = \{e^i_1, e^i_2, \ldots\}$. The locations $\ell^i_0$ are the entry locations of the $P_i$, respectively. Each edge $e \in E_i$ is labelled by an instruction:

$c_e(\bar{y}) \to [\bar{y} := h_e(\bar{y})]$

whose meaning is that when $c_e(\bar{y})$ is true, execution may proceed from the source location $\ell_e$ of $e$ to its target location $\ell'_e$ while assigning the values $h_e(\bar{y})$ to the variables $\bar{y}$. Special cases are the semaphore instructions $request(y)$ and $release(y)$, equivalent to $(y > 0) \to [y := y - 1]$ and $true \to [y := y + 1]$, respectively. We refer the reader to [MP1] for a more detailed discussion of these models.

A program state for this system has the form:

$(\ell^1, \ldots, \ell^m;\ \eta_1, \ldots, \eta_n)$,

where each $\ell^i \in L_i$ denotes the current location of the execution in the process $P_i$, and each $\eta_j \in D$ is the current value of the program variable $y_j$. (The variables $\bar{y}$ are assumed to range over some domain $D$.) Thus we identify the set of all states $S$ as the set of all $(m + n)$-tuples $(L_1 \times \cdots \times L_m \times D^n)$.

The initiality predicate is given by:

$\Theta(\ell^1, \ldots, \ell^m;\ \bar{y}) : [\bigwedge_{i=1}^{m} (\ell^i = \ell^i_0)] \w{}edge (\bar{y} = g(\bar{x}))$

ensuring that all the processes are at their initial locations and the values of the program variables are properly initialized.

The set of transitions $T$ is identified with the set of all edges $E_1 \cup \cdots \cup E_m$. For $\tau = e \in E_i$ we define

$(\ell'^1, \ldots, \ell'^m;\ \bar{\eta}') \in f_e(\ell^1, \ldots, \ell^m;\ \bar{\eta})$

if and only if

$\ell^i = \ell_e$, $\ell'^i = \ell'_e$, $\ell'^j = \ell^j$ for every $j \ne i$, $c_e(\bar{\eta}) = true$ and $\bar{\eta}' = h_e(\bar{\eta})$.

The justice family is given by:

$\mathcal{J} = \{E_1, \ldots, E_m\}$;

that is, we require that justice be applied to each process individually. This implies that in any infinite computation, each process that has not terminated yet will eventually be scheduled.

The fairness family is given by:

$\mathcal{F} = \{\{e\} \mid e \text{ is labelled by a } request(y) \text{ instruction}\}$.

Thus, each semaphore transition is to be individually treated fairly. This implies that a $request(y)$ instruction which is waiting while $y$ turns positive infinitely many times must eventually be performed.

In considering computations of a program as models for temporal formulas that express properties of the program, we define the model $\hat{\sigma}$ corresponding to a sequence $\sigma$,

$\sigma : s_0 \xrightarrow{\tau_1} s_1 \xrightarrow{\tau_2} s_2 \xrightarrow{\tau_3} \cdots$,

as follows: If $\sigma$ is infinite then the corresponding model is

$\hat{\sigma} : s_0, s_1, \ldots$

In the case that $\sigma$ is finite and its last state is the terminal state $s_k$, we take $\hat{\sigma}$ to be

$\hat{\sigma} : s_0, s_1, \ldots, s_k, s_k, \ldots$,

that is, the last state repeats forever.


3. THE PROOF SYSTEM

The proof system consists of three parts.

• Part A, called the general part, formalizes the pure temporal logic properties of sequences in general. It is completely independent of the particular program analyzed.

• Part B, called the domain-dependent part, formalizes the properties of the domain over which the program operates, such as integers, reals, strings, lists, trees, etc.

• Part C is the program-dependent part. It provides a formalization of the properties that result from restricting our attention to the computational sequences of the particular program being analyzed.

We refer the reader to [MP4], [MP5] for a discussion of parts A and B. Here we only repeat part C, which we further develop in order to prove precedence properties.

The program-dependent part consists of four axiom schemes corresponding to the four requirements imposed on admissible computations. In the following, a state formula is a formula containing no temporal operators and hence interpretable on a single state.

Let $\varphi$ and $\psi$ be two state formulas. We say that a transition $\tau$ leads from $\varphi$ to $\psi$ if for every two states $s$ and $s'$ the following is true:

$\varphi(s) \wedge (s' \in f_\tau(s)) \supset \psi(s')$.

Note that this formula is classical, i.e., contains no temporal operators, and should be expressible and provable in the first-order theory over the domain.

For example, in the case of the shared-variables computation model a transition $\tau$ would correspond to an edge $e$ from $\ell_e$ to $\ell'_e$ in some process $P_i$:

$c(\bar{y}) \to [\bar{y} := h(\bar{y})]$

so that the condition above is expressible as

$\varphi(\ell^1, \ldots, \ell_e, \ldots, \ell^m;\ \bar{y}) \wedge c(\bar{y}) \supset \psi(\ell^1, \ldots, \ell'_e, \ldots, \ell^m;\ h(\bar{y}))$,

where $\ell_e$ and $\ell'_e$ occupy the $i$-th position.

Given a subset of transitions $T' \subseteq T$, we say that $T'$ leads from $\varphi$ to $\psi$ if every transition $\tau \in T'$ leads from $\varphi$ to $\psi$. If the full set $T$ leads from $\varphi$ to $\psi$, we also say that the program $P$ leads from $\varphi$ to $\psi$.

The state formula $Terminal$ characterizes the terminal states:

$Terminal(s) \equiv \bigwedge_{\tau \in T} (f_\tau(s) = \emptyset)$.

Also, for a subset $T'$ of transitions, the state formula $Enabled(T')$ characterizes the states on which some transition of $T'$ is enabled:

$Enabled(T')(s) \equiv \bigvee_{\tau \in T'} (f_\tau(s) \ne \emptyset)$.

Both formulas are expressible by a quantifier-free first-order formula.

Following are the inference rules of the program part:

(INIT) For an arbitrary temporal formula $w$

$\vdash \Theta \supset \Box w$
----------
$\vdash \Box w$

This rule states that if $w$ is an invariant for all initialized computations it is also an invariant for all admissible computations. This is because every admissible computation is a suffix of an initialized computation, and a property of the form $\Box w$ is hereditary from a sequence to all of its suffixes.

(TRNS) Let $\varphi$ and $\psi$ be two state formulas

$\vdash$ Every $\tau \in T$ leads from $\varphi$ to $\psi$
$\vdash (\varphi \wedge Terminal) \supset \psi$
----------
$\vdash \varphi \supset \bigcirc\psi$

The first premise ensures that as long as at least one transition is enabled, then if the current state satisfies $\varphi$, the next state must satisfy $\psi$. The second premise handles the case that all transitions are disabled, i.e., that of a terminal state. In a computation this means that no further action is possible and the next state is identical to the present. Hence this premise also ensures that in such a case the next state will satisfy $\psi$.


(JUST) Let $\varphi$ and $\psi$ be two state formulas, and $T^J \in \mathcal{J}$ a justice set

$\vdash$ Every $\tau \in T$ leads from $\varphi$ to $\varphi \vee \psi$
$\vdash$ Every $\tau \in T^J$ leads from $\varphi$ to $\psi$
----------
$\vdash [\varphi \wedge \Box Enabled(T^J)] \supset \varphi\,\mathcal{U}\,\psi$

To justify this rule, consider a computation $\sigma$ such that $\varphi \wedge \Box Enabled(T^J)$ holds for $\sigma$ but $\varphi\,\mathcal{U}\,\psi$ does not hold. By the first premise, once $\varphi$ holds it can only stop holding when $\psi$ happens. Hence $\varphi\,\mathcal{U}\,\psi$ may fail to hold only if $\psi$ never happens and $\varphi$ is true forever. Since we assumed that $T^J$ is continuously enabled on $\sigma$, some transition in $T^J$ must eventually be activated, and this in a state satisfying $\varphi$. Hence, by the second premise, once this transition is activated it achieves $\psi$, contrary to our assumption.

A similar rule applies to fairness:

(FAIR) Let $\varphi$ and $\psi$ be two state formulas, and $T^F \in \mathcal{F}$ a fairness set

$\vdash$ Every $\tau \in T$ leads from $\varphi$ to $\varphi \vee \psi$
$\vdash$ Every $\tau \in T^F$ leads from $\varphi$ to $\psi$
----------
$\vdash [\varphi \wedge \Box\Diamond Enabled(T^F)] \supset \varphi\,\mathcal{U}\,\psi$

The justification is similar to that of the JUST rule.

In the following discussion we will consider computations only under the assumption of justice. This amounts to considering an empty fairness family $\mathcal{F} = \emptyset$. In the shared-variables computation system this means that we consider programs without semaphores. The reintroduction of fairness into the following analysis can be done in a straightforward manner.

In [MP5] the set of the rules above has been shown to be relatively complete. By this we mean that an arbitrary property which is valid for a given program can be proved using these rules, provided the pure logic and domain-dependent parts are strong enough to prove all valid properties. This result implies that the program-dependent part is adequate for establishing all the properties that are true for admissible computations. However, while giving full generality, these rules do not provide specific guidance for proving properties of the three important classes that we have discussed: invariance, liveness and precedence.

We will proceed to develop derived rules, one for each class. These rules, while being derivable in the general system, have the advantage of being complete for their classes. By this we mean that every valid property in the class can be proved using a single application of the proposed rule as the only temporal step. All the premises to the rule are first-order over the domain. Thus, for anyone who is interested only in proving properties of these classes, the respective rules are the only temporal proof rules he may ever need, dispensing for example with the general temporal logic part.
We will illustrate these rules on a single example, an algorithm for mutual exclusion (Fig. 0) taken from [Pe]. The program consists of two concurrent processes, $P_1$ and $P_2$, that compete for access to their critical regions, represented by $\ell_3$ and $m_3$ respectively. Entry into the critical regions is expected to be exclusive, i.e., at no time can $P_1$ be at $\ell_3$ while at the same time $P_2$ is at $m_3$. The processes communicate by means of the shared variables $y_1, y_2, t$. Process $P_i$ ($i = 1, 2$) sets $y_i$ to $T$ whenever he is interested in entering his critical region. He then proceeds to set $t$ to $i$. Following this, he reaches a waiting state ($\ell_2$ or $m_2$, respectively). There he waits until either $y_{\bar{i}} = F$ (here $\bar{i}$ is the competing process, i.e., $\bar{1} = 2$ and $\bar{2} = 1$) or $t = \bar{i}$. In the first case he infers that the competitor is not currently interested. In the second case he infers that $P_{\bar{i}}$ is interested but has arrived at his waiting state after $P_i$ did, since $P_{\bar{i}}$ was the last to set $t$ (to $\bar{i}$). In either case $P_i$ enters his critical region. Once he finishes his business there he exits while setting $y_i$ to $F$, indicating loss of interest in further entries for the present.

This description is of course intuitive and informal. The following discussions will provide more formal proofs of the correctness of the algorithm.


4. INVARIANCE PROPERTIES

A single rule which is complete for this class is:

(INV) Invariance Rule

Let $\varphi$ and $\psi$ be state properties

A. $\vdash \Theta \supset \varphi$
B. $\vdash$ Every $\tau \in T$ leads from $\varphi$ to $\varphi$
C. $\vdash \varphi \supset \psi$
----------
$\vdash \Box\psi$

A slightly more elaborate rule can similarly be used to establish properties of the form $\varphi \supset \Box\psi$.

Since the rule is derivable from the INIT and TRNS rules above, it is certainly sound.

To argue that it is complete for properties of the form $\Box\psi$, let $\psi$ be a state property such that $\Box\psi$ is true for all computations. Define the predicate:

$Acc(s) \equiv \{$there exists an initialized computation segment $s_0 \xrightarrow{\tau_1} s_1 \xrightarrow{\tau_2} \cdots \xrightarrow{\tau_k} s_k = s\}$.

Thus, $Acc(s)$ is true for a state $s$ iff there exists an initialized computation having $s$ as one of its states. We have defined $Acc(s)$ in words rather than by a formula; however, if the underlying domain is rich enough to contain, say, the integers, then this predicate is expressible by a first-order formula over the domain.

We now apply the INV rule with $\varphi = Acc$. Certainly $\Theta \supset Acc$, since every state $s_0$ satisfying $\Theta$ participates in a computation $s_0 \to s_1 \to \cdots$. It is also easy to see that if $s$ is accessible and $s' \in f_\tau(s)$ then $s'$ is also accessible. This establishes premise B. Premise C says that every accessible state satisfies $\psi$, but this follows from our assumption that $\Box\psi$ is true on all admissible computations. Consequently the INV rule is always applicable.
Let us consider some invariance properties for the mutual exclusion program (Fig. 0) presented above.

$I_0 : \vdash \Box((t = 1) \vee (t = 2))$

Note that for this program

$\Theta : at\,\ell_0 \wedge at\,m_0 \wedge [(y_1, y_2, t) = (F, F, 1)]$.

Take $\varphi = \psi = (t = 1) \vee (t = 2)$. It is easy to verify that $\Theta \supset \varphi$ since $\Theta$ implies $t = 1$. Similarly, by inspecting every transition we see that all of them maintain $\varphi$.

$I_1 : \vdash \Box(y_1 = \ell_{1..3})$

The proposition $\ell_{1..3}$ is defined as $at\,\ell_1 \vee at\,\ell_2 \vee at\,\ell_3$, i.e., it holds whenever $P_1$ is somewhere in $\{\ell_1, \ell_2, \ell_3\}$. Potentially falsifying transitions are:

$\ell_0 \to \ell_1$: setting both $y_1$ and $\ell_{1..3}$ to $T$.
$\ell_3 \to \ell_0$: setting both $y_1$ and $\ell_{1..3}$ to $F$.

All other transitions do not modify either $y_1$ or $\ell_{1..3}$.

$I_2 : \vdash \Box(y_2 = m_{1..3})$.

This property is symmetric to $I_1$.

$I_3 : \vdash \Box\{[\ell_2 \wedge \neg m_2] \supset (t = 1)\}$.

Note that initially $\ell_2$ (i.e., $at\,\ell_2$) is false, so that the implication is true. Potentially falsifying transitions are:

$\ell_1 \to \ell_2$: sets $t$ to 1.
$m_1 \to m_2$: makes $\neg m_2$ false.
$m_2 \to m_3$ while $\ell_2$: by $I_1$, $y_1 = T$, so this transition is possible only when $t = 1$.

All other transitions trivially maintain the invariant. (Here, as in the cases below, a previously established invariant is used by taking $\varphi$ to be its conjunction with the property being proved; $I_3$ on its own is not preserved by $m_2 \to m_3$.)

$I_4 : \vdash \Box\{[m_2 \wedge \neg \ell_2] \supset (t = 2)\}$.

Can be shown in a similar way.

We may now obtain the invariant ensuring mutual exclusion:

$I_5 : \vdash \Box(\neg \ell_3 \vee \neg m_3)$.

It is certainly true initially. The potentially falsifying transitions of this invariant are:

$\ell_2 \to \ell_3$ while $m_3$: but then $y_2 = T$ (by $I_2$) and $t = 1$ (by $I_3$), so that this transition is impossible.
$m_2 \to m_3$ while $\ell_3$: impossible, because $y_1 = T$ (by $I_1$) and $t = 2$ (by $I_4$).

Thus mutual exclusion has been formally proved.

5.  LIVENESS  PROPERTIES 

We start by developing a proof rule which is more convenient to apply than the JUST rule.

(J-EVNT) — The Just Eventuality Rule

Let $\varphi$ and $\psi$ be two state formulas and $T_J$ a justice set.

A. $\vdash$ Every $\tau \in T$ leads from $\varphi$ to $\varphi \lor \psi$

B. $\vdash$ Every $\tau \in T_J$ leads from $\varphi$ to $\psi$

C. $\vdash \varphi \supset (\psi \lor Enabled(T_J))$

$\vdash \varphi \supset \varphi\,\mathcal{U}\,\psi$

A similar rule exists for fairness. The rule can easily be derived from the JUST rule, since by premise C every computation having in it a $\varphi$ which is not followed by a $\psi$ will have $T_J$ continuously enabled. This, by the JUST rule, implies $\varphi\,\mathcal{U}\,\psi$.

Let us apply the EVNT rule to our sample mutual exclusion program (Fig. 0). Take, for example,

$\varphi = \varphi_1: at\,l_2 \land at\,m_2 \land (t = 2) \land (y_1 = T) \land (y_2 = T)$
$\psi = \varphi_0: at\,l_3$

Clearly the only transitions enabled on a state satisfying $\varphi_1$ are $l_2 \to l_3$ and $m_2 \to m_2$. Consequently every transition leads from $\varphi_1$ to $\varphi_1 \lor \psi$. Taking $T_J$ to be $P_1$, i.e., all transitions within $P_1$, we have premises A and B obviously satisfied. Also $\varphi_1$ implies that $l_2 \to l_3$, and hence $P_1$, is enabled. Thus we obtain $\vdash \varphi_1 \supset (\varphi_1\,\mathcal{U}\,\varphi_0)$. From this we can certainly obtain

$\vdash \varphi_1 \supset \Diamond\varphi_0$

since $p\,\mathcal{U}\,q$ implies $\Diamond q$.

Next let us take

$\varphi = \varphi_2: at\,l_2 \land at\,m_1 \land (y_1 = T) \land (y_2 = T)$

$\psi = \varphi_1 \lor \varphi_0$.

We now take $T_J$ to be $P_2$. Certainly, the only transitions possibly enabled under $\varphi_2$ are $l_2 \to l_2$, $l_2 \to l_3$ and $m_1 \to m_2$. The first transition preserves $\varphi_2$. The second transition leads from $\varphi_2$ to $\varphi_0$. The third transition, which is guaranteed to be enabled under $\varphi_2$, leads from $\varphi_2$ to $\varphi_1$. Thus every transition leads from $\varphi_2$ to $\varphi_1 \lor \varphi_0$. We conclude $\vdash \varphi_2 \supset \Diamond(\varphi_1 \lor \varphi_0)$. From this we may conclude, by temporal reasoning and the previously established $\vdash \varphi_1 \supset \Diamond\varphi_0$, that

$\vdash \varphi_2 \supset \Diamond\varphi_0$.


We may proceed and define additional $\varphi_j$, $j = 3, \ldots, 6$, such that for each $j$, $\vdash \varphi_j \supset \Diamond(\bigvee_{k<j}\varphi_k)$, which eventually leads to $\vdash \varphi_j \supset \Diamond\varphi_0$. This proof strategy of constructing a finite chain of assertions, each eventually leading to an assertion of lower index, can be summarized by:

(CHAIN) — The Chain Reasoning Proof Principle

Let $\varphi_0, \varphi_1, \ldots, \varphi_r$ be a sequence of state formulas.

A. $\vdash$ Every $\tau \in T$ leads from $\varphi_i$ to $\bigvee_{j \le i}\varphi_j$

B. For every $i > 0$ there exists a justice set $T_J = T_i^J$ such that

$\vdash$ Every $\tau \in T_i^J$ leads from $\varphi_i$ to $\bigvee_{j < i}\varphi_j$

C. For every $i > 0$ and $T_i^J$ as above:

$\vdash \varphi_i \supset [(\bigvee_{j < i}\varphi_j) \lor Enabled(T_i^J)]$

$\vdash (\bigvee_{i=0}^{r}\varphi_i) \supset \Diamond\varphi_0$


The scheme of a proof according to the CHAIN principle is best presented in the form of a diagram. In this diagram we have a node for each $\varphi_i$. For each transition $\tau$ leading from a state satisfying $\varphi_i$ to a state satisfying $\varphi_j$ with $j \ne i$ (and hence, by A, $j < i$) we draw an edge from $\varphi_i$ to $\varphi_j$. This edge is labelled by the appropriate justice set to which the transition belongs. Edges belonging to the justice set which is known by premise C to be enabled in $\varphi_i$ are drawn as double edges. For example, Fig. 1 contains a proof diagram for proving $\vdash at\,l_1 \supset \Diamond at\,l_3$ for the mutual exclusion program. By the CHAIN rule we actually proved $\vdash (\bigvee_{i=0}^{6}\varphi_i) \supset \Diamond at\,l_3$, but since $\varphi_6$ is $at\,l_1$ this establishes the desired result. The diagram representation of the CHAIN rule closely resembles the proof lattice advocated in [OL] for proving liveness properties.


In the application of the CHAIN rule we may freely use any previously derived invariances of the program. Thus, if $\vdash \Box I$ is any previously derived invariance, we may use $\varphi_i \land I$ instead of $\varphi_i$ to establish any of the premises. This amounts to considering the sequence $\varphi_0 \land I, \ldots, \varphi_r \land I$ instead of the original sequence of assertions. Thus in the diagram (Fig. 1) we did not have an assertion corresponding to $(l_3, m_3)$, since by the previously established invariances such a situation is impossible; in particular, no transition could lead from $I \land \varphi_i$ to $(l_3, m_3)$. Similarly, no transition from $(l_2, m_1)$ to $l_3$ has been drawn, in view of $I_3$.


The chain reasoning principle assumed a finite number of links in the chain. It is quite adequate for finite state programs, i.e., programs where the variables range over finite domains. However, once we consider programs over infinite domains, such as the integers, it is no longer sufficient to consider only finitely many assertions. In fact, sets of assertions of quite high cardinality are needed. The obvious generalization to infinite sets of assertions is to consider a single state assertion $\varphi(\alpha, s)$, parametrized by a parameter $\alpha$ taken from a well-founded ordered set $(A, \prec)$. Obviously, an important feature of our chain of assertions is that program transitions led from $\varphi_i$ to $\varphi_j$ with $j \le i$. This property can also be stated for an arbitrary well-founded ordering. Thus a natural generalization of the chain reasoning rule is the following:

(WELL) — The Well Founded Liveness Principle

Let $(A, \prec)$ be a well-founded ordered set.

Let $\varphi(\alpha) = \varphi(\alpha, s)$ be a parametrized state formula, and $\psi$ a state formula.

Let $h: A \to J$ be a helpfulness function identifying for each $\alpha \in A$ the helpful justice set $h(\alpha) \in J$.

A. $\vdash$ Every transition $\tau \in T$ leads from $\varphi(\alpha)$ to $\psi \lor \exists\beta((\beta \preceq \alpha) \land \varphi(\beta))$

B. $\vdash$ Every transition $\tau \in h(\alpha)$ leads from $\varphi(\alpha)$ to $\psi \lor \exists\beta((\beta \prec \alpha) \land \varphi(\beta))$

C. $\vdash \varphi(\alpha) \supset [\psi \lor \exists\beta((\beta \prec \alpha) \land \varphi(\beta)) \lor Enabled(h(\alpha))]$

$\vdash (\exists\alpha.\varphi(\alpha)) \supset \Diamond\psi$

In order to obtain a complete rule for liveness properties we have to treat the parametrized assertion $\varphi(\alpha, s)$ as an auxiliary assertion:

(LIVE) — A Complete Principle for Liveness

Let $p, q$ be state formulas and $\varphi(\alpha), \psi$ a parametrized assertion pair as in WELL.

Assume premises A, B, C as in WELL, and

D. $\vdash \Box p$, i.e., $p$ is an invariant

E. $\vdash (q \land p) \supset (\exists\alpha.\varphi(\alpha))$

$\vdash q \supset \Diamond\psi$

We refer the reader to [LPS] for a completeness proof of the LIVE principle. Completeness here means that given two state properties $q$ and $\psi$ such that $q \supset \Diamond\psi$ is a valid statement over all the computations of the program $P$, it is always possible to find state predicates $p$, $\varphi(\alpha, s)$ with $\alpha \in A$ and $(A, \prec)$, $h$ as in WELL that satisfy premises A to E. Note that premise D requires a preliminary derivation of the invariance of $p$, which can be done using the INV rule.

6.  PRECEDENCE  PROPERTIES 

As a key operator in expressing and establishing precedence properties we take the weak until operator $\mathcal{W}$, to which we will refer here as the unless operator.

The unless operator may be defined in terms of the standard until operator as:

$p\,\mathcal{W}\,q = \Box p \lor (p\,\mathcal{U}\,q)$.

Thus, in contrast to $p\,\mathcal{U}\,q$, it does not require that $q$ eventually happen. But in the case that $q$ never happens, $p$ is required to hold forever.


Even though it is introduced here as a derived operator, it can be adopted as the basic operator for establishing precedence properties. This is because both the until and precede operators can be expressed in terms of the unless operator:

$p\,\mathcal{U}\,q = (p\,\mathcal{W}\,q) \land \Diamond q$
$p\,\mathcal{P}\,q = (\lnot q)\,\mathcal{W}\,(p \land \lnot q)$.

We can also express the nested until operator by considering the nested unless operator. Let $\psi_r, \psi_{r-1}, \ldots, \psi_1, \psi_0$ be a sequence of formulas; then

$\psi_r\,\mathcal{W}\,\psi_{r-1}\,\mathcal{W} \cdots \psi_1\,\mathcal{W}\,\psi_0 = \psi_r\,\mathcal{W}(\psi_{r-1}\,\mathcal{W}(\cdots(\psi_1\,\mathcal{W}\,\psi_0)\cdots))$

holds on a sequence $\sigma = s_0, s_1, \ldots$ if there exists a sequence of indices $0 = i_r \le i_{r-1} \le \cdots \le i_1 \le i_0 \le \omega$ such that for every $l > 0$ and $j$ with $i_l \le j < i_{l-1}$, $\psi_l$ holds on

$\sigma^{(j)} = s_j, s_{j+1}, \ldots$

and if $i_0 < \omega$ then $\psi_0$ holds on $\sigma^{(i_0)}$. Note that some of the $i_l$ may be equal to one another, and also to $\omega$, in which case some of the $\psi_l$ hold in empty periods.

An alternative description is that $\psi_r\,\mathcal{W} \cdots \psi_1\,\mathcal{W}\,\psi_0$ holds on $\sigma$ iff either $\sigma$ satisfies $\psi_r\,\mathcal{U} \cdots \psi_1\,\mathcal{U}\,\psi_0$, or for some $j$, $0 \le j \le r$, $\sigma$ satisfies $\psi_r\,\mathcal{U} \cdots \psi_{j+1}\,\mathcal{U}\,\Box\psi_j$. In the case $j = r$, $\sigma$ satisfies $\Box\psi_r$.

Then we can express the nested until by an extension of the previous formula for a simple until:

$\psi_r\,\mathcal{U}\,\psi_{r-1}\,\mathcal{U} \cdots \psi_1\,\mathcal{U}\,\psi_0 = (\psi_r\,\mathcal{W}\,\psi_{r-1}\,\mathcal{W} \cdots \psi_1\,\mathcal{W}\,\psi_0) \land \Diamond\psi_0$.

Let us justify this equivalence. The direction in which the nested until implies the nested unless and the eventual occurrence of $\psi_0$ is obvious. Let us therefore consider the other direction.

Assume that $\psi_r\,\mathcal{W} \cdots \psi_1\,\mathcal{W}\,\psi_0$ and $\Diamond\psi_0$ both hold on a sequence $\sigma$. By the interpretation of nested unless there exists a partition:

$0 = i_r \le i_{r-1} \le \cdots \le i_1 \le i_0 \le \omega$

such that $\psi_l$ holds between $i_l$ and $i_{l-1}$ for $l > 0$, and $\psi_0$ holds at $i_0$ if it is finite. Since $\psi_0$ must occur somewhere in $\sigma$, let $j$ be the minimal index such that $\psi_0$ holds on $\sigma^{(j)}$. If $j = i_0 < \omega$, then the same partition justifies $\psi_r\,\mathcal{U} \cdots \psi_1\,\mathcal{U}\,\psi_0$ on $\sigma$. Otherwise there exists some $l$ such that $i_l \le j < i_{l-1}$. In this case the partition up to $i_l$, and then $j$, justifies $\psi_r\,\mathcal{U} \cdots \psi_l\,\mathcal{U}\,\psi_0$, from which

$\psi_r\,\mathcal{U} \cdots \psi_l\,\mathcal{U}\,\psi_{l-1} \cdots \psi_1\,\mathcal{U}\,\psi_0$

follows by letting $\psi_{l-1}, \ldots, \psi_1$ hold over empty periods.

Thus, expressively at least, the unless operator seems to be an appropriately basic operator. But we claim that the choice of the unless operator is appropriate on proof theoretic grounds as well. By inspecting the expression of until formulas in terms of unless formulas we find a resemblance to the relation between the concepts of total and partial correctness. Total correctness, which is a liveness property, can be expressed as the conjunction of partial correctness, which is an invariance property, and termination, which is another liveness property but simpler than the original. In quite the same way we can express the until property as a conjunction of an unless property, which we regard as an extended invariance property, and the simpler liveness property $\Diamond\psi_0$.

In practice, if we want a single proof principle that will cover properties of the following three subclasses

(a) $\varphi \supset (p\,\mathcal{U}\,q)$

(b) $\varphi \supset (p\,\mathcal{P}\,q)$

(c) $\varphi \supset (p\,\mathcal{W}\,q)$

then the unless operator is a good choice.

In order to establish (a) we establish separately

$\vdash (\varphi \supset p\,\mathcal{W}\,q)$ and $\vdash \varphi \supset \Diamond q$,

which are implied by (a). The first will be established by using the unless proof principle. The second is a liveness property and can be established by the WELL rule or its extensions.

Similarly, in order to establish (b) it is sufficient to establish $\varphi \supset (p'\,\mathcal{W}\,q')$, where $p'$ is $\lnot q$ and $q'$ is $p \land \lnot q$.

We could not have used the until operator in a similar role, i.e., reducing proofs of properties of the subclasses (b) and (c) to those of (a). This is, for example, because if $\varphi \supset (p\,\mathcal{W}\,q)$ is a valid statement, then certainly so is $\varphi \supset (\Box p \lor (p\,\mathcal{U}\,q))$, but it does not imply that either $\varphi \supset \Box p$ or $\varphi \supset (p\,\mathcal{U}\,q)$ is a valid statement. Proving precede statements would cause similar problems.

The fact that the weak form of the until operator is more basic than its strong form seems to have been intuitively sensed in [L2], where a while operator is introduced which is equivalent to $p\,\mathcal{W}\,\lnot q$.

Consequently, we will proceed by developing proof principles for the unless operator $\mathcal{W}$. We begin by formulating a core rule:


(CORE-U) — Core Rule for Unless Properties

Let $\varphi_r, \varphi_{r-1}, \ldots, \varphi_0$ be state formulas.

A. For every $i > 0$,

$\vdash$ Every $\tau \in T$ leads from $\varphi_i$ to $\bigvee_{j \le i}\varphi_j$

$\vdash (\bigvee_{i=0}^{r}\varphi_i) \supset (\varphi_r\,\mathcal{W}\,\varphi_{r-1}\,\mathcal{W} \cdots \varphi_1\,\mathcal{W}\,\varphi_0)$

Let $\sigma$ be a computation whose first state $s_0$ satisfies $\varphi_j$ for some $0 \le j \le r$. Assume first that $j > 0$. Define $i_r = i_{r-1} = \cdots = i_j = 0$. By premise A, $s_1$ must satisfy some $\varphi_l$ for $l \le j$. If $l = j$ we proceed until we find an $s_k$ that satisfies $\varphi_l$ for $l < j$. If we never find such a state we may take $i_{j-1} = \cdots = i_0 = \omega$. Otherwise we take $i_{j-1} = \cdots = i_l = k$ and proceed similarly beyond $s_k$, unless $l = 0$. This construction shows that if $s_0$ satisfies $\varphi_j$ for some $j$ then $\sigma$ satisfies $\varphi_r\,\mathcal{W} \cdots \mathcal{W}\,\varphi_0$. The case $j = 0$ is even simpler.

We can make a complete rule out of the CORE-U rule by strengthening the preconditions and weakening the postconditions.

(UNLS) — Complete Rule for Unless Properties

Let $\varphi_r, \ldots, \varphi_0, \psi_r, \ldots, \psi_0, p, q$ be state formulas such that:

A. For every $i > 0$,

$\vdash$ Every $\tau \in T$ leads from $\varphi_i \land p$ to $\bigvee_{j \le i}\varphi_j$

B. $\vdash \Box p$

C. $\vdash (q \land p) \supset (\bigvee_{i=0}^{r}\varphi_i)$

D. For every $i$, $0 \le i \le r$,
$\vdash (\varphi_i \land p) \supset \psi_i$

$\vdash q \supset [\psi_r\,\mathcal{W}\,\psi_{r-1}\,\mathcal{W} \cdots \psi_1\,\mathcal{W}\,\psi_0]$

Let us consider the application of this rule to the analysis of the mutual exclusion algorithm. We take (the $\varphi_i$'s on the right refer to the assertions in Fig. 1):

$q: at\,l_2$

$\varphi_0 = \psi_0: at\,l_3$

$\varphi_1 = \varphi_{1..3}: l_2 \land [m_{0,1} \lor (m_2 \land (t = 2))]$

$\varphi_2 = \varphi_4: l_2 \land m_3$

$\varphi_3 = \varphi_5: l_2 \land m_2 \land (t = 1)$

$\psi_1 = \psi_3 = \lnot m_3$, $\psi_2 = m_3$

$p$ = the conjunction of all the invariants $I_0 \land \cdots \land I_5$

The diagram certainly establishes that $\varphi_i$, $i > 0$, leads to $\bigvee_{j \le i}\varphi_j$. It is also easy to show that $(q \land p) \supset (\bigvee_{i=0}^{3}\varphi_i)$ and that $\varphi_i \supset \psi_i$ for $i = 0, \ldots, 3$. Thus we may conclude:

$\vdash l_2 \supset (\lnot m_3\,\mathcal{W}\,m_3\,\mathcal{W}\,\lnot m_3\,\mathcal{W}\,l_3)$.

This establishes the property of 1-bounded overtaking from $l_2$. This means that once $P_1$ is at $l_2$, $P_2$ may be at $m_3$ at most once before $P_1$ gets to its critical section at $l_3$.

An alternative derivation of the same result could have been achieved by taking the $\varphi$'s in the rule to be identical to the $\varphi$'s in the diagram. This leads to:

$\vdash l_2 \supset (\varphi_5\,\mathcal{W}\,\varphi_4\,\mathcal{W}\,\varphi_3\,\mathcal{W}\,\varphi_2\,\mathcal{W}\,\varphi_1\,\mathcal{W}\,\varphi_0)$.

We may now use the collapsing theorem for the unless operator:

$(p\,\mathcal{W}\,q\,\mathcal{W}\,r) \supset ((p \lor q)\,\mathcal{W}\,r)$

to obtain:

$l_2 \supset (\varphi_5\,\mathcal{W}\,\varphi_4\,\mathcal{W}\,(\varphi_3 \lor \varphi_2 \lor \varphi_1)\,\mathcal{W}\,\varphi_0)$,

which is equivalent to the above after we replace each of the $\varphi_i$'s by the weaker $\psi_i$.

Having obtained 1-bounded overtaking from the point where $P_1$ is at $l_2$, we may inquire whether the same holds from the point where $P_1$ is at $l_1$. As the analysis in Fig. 2 shows, the best we can hope for is 2-bounded overtaking. The diagram in Fig. 2 establishes

$\vdash l_1 \supset (\varphi_8\,\mathcal{W}\,\varphi_{5..7}\,\mathcal{W}\,\varphi_1\,\mathcal{W}\,\varphi_0)$

from which 2-bounded overtaking is easily established.
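The semantics of nested unless given at the start of this section, its identity with nested until, the expression of precede through unless, and the 1-bounded overtaking formula $\lnot m_3\,\mathcal{W}\,m_3\,\mathcal{W}\,\lnot m_3\,\mathcal{W}\,l_3$ can all be checked mechanically on finite segments. The evaluator below is an added example written for this page (not code from the paper); it adopts the finite-segment convention of section 7 (the last state repeated forever), and the location traces it checks are constructed.

```python
from itertools import product

def holds(f, seq, pos=0):
    """Does formula f hold on the suffix seq[pos:]?  A finite segment s0..sk stands
    for its infinite extension s0, ..., sk, sk, ... (section 7's convention), so
    examining positions up to k is exact.  State formulas are predicates on one
    state; temporal formulas are tuples: ('G', p) always p, ('F', p) eventually p,
    ('U', p, q) p until q, ('W', p, q) p unless q (weak until)."""
    n = len(seq)
    if callable(f):
        return f(seq[pos])
    op = f[0]
    if op == 'G':
        return all(holds(f[1], seq, k) for k in range(pos, n))
    if op == 'F':
        return any(holds(f[1], seq, k) for k in range(pos, n))
    _, p, q = f
    # p U q: q holds at some j >= pos and p holds at every position in between.
    until = any(holds(q, seq, j) and all(holds(p, seq, k) for k in range(pos, j))
                for j in range(pos, n))
    if op == 'U':
        return until
    return until or holds(('G', p), seq, pos)      # p W q  =  box p  or  (p U q)

def nested(op, *fs):
    """f_r op f_{r-1} op ... op f_0, nested to the right as in section 6."""
    f = fs[-1]
    for g in reversed(fs[:-1]):
        f = (op, g, f)
    return f

def precedes(p, q):
    """p P q (p precedes q) expressed through unless: (~q) W (p and ~q)."""
    return ('W', lambda s: not q(s), lambda s: p(s) and not q(s))

def identities_hold(psis, alphabet, max_len=5):
    """Exhaustively check, on every segment over `alphabet` of length <= max_len,
    the identity  nested until = nested unless and eventually psi_0  and the
    collapsing theorem  (p W q W r) implies ((p or q) W r).  psis = [psi_r..psi_0]."""
    w, u = nested('W', *psis), nested('U', *psis)
    p, q, r = psis[0], psis[1], psis[2]
    p_or_q = lambda s: p(s) or q(s)
    for n in range(1, max_len + 1):
        for seq in product(alphabet, repeat=n):
            if holds(u, seq) != (holds(w, seq) and holds(('F', psis[-1]), seq)):
                return False
            if holds(nested('W', p, q, r), seq) and not holds(('W', p_or_q, r), seq):
                return False
    return True

# Constructed traces of (P1 location, P2 location) pairs for the 1-bounded
# overtaking property of section 6:  ~m3 W m3 W ~m3 W l3.
l3, m3 = (lambda s: s[0] == 3), (lambda s: s[1] == 3)
not_m3 = lambda s: not m3(s)
ONE_BOUNDED = nested('W', not_m3, m3, not_m3, l3)
ONE_BOUNDED_U = nested('U', not_m3, m3, not_m3, l3)

TRACE_OK = [(2, 1), (2, 2), (2, 3), (2, 0), (3, 0)]     # P2 enters once, then P1 enters
TRACE_TWICE = [(2, 1), (2, 3), (2, 0), (2, 3), (3, 0)]  # P2 enters twice before P1
TRACE_STUCK = [(2, 1), (2, 2), (2, 0)]                  # P1 never reaches l3, P2 stays out

if __name__ == "__main__":
    for name, tr in (("once", TRACE_OK), ("twice", TRACE_TWICE), ("stuck", TRACE_STUCK)):
        print(name, "unless:", holds(ONE_BOUNDED, tr), "until:", holds(ONE_BOUNDED_U, tr))
    print("identities:", identities_hold([lambda s: s in 'ab', lambda s: s == 'b',
                                          lambda s: s == 'c'], 'abc'))
```

The "stuck" trace shows the difference between the two operators: the unless form holds because $\psi_r = \lnot m_3$ holds throughout, while the until form fails because $l_3$ is never reached.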


7.  COMPLETENESS  OF  THE  UNLS  RULE 

Next  we  will  show  that  the  UNLS  rule  presented  above  is  complete  for  establishing  nested 
unless  properties. 


Proof: 

Let $q, \psi_r, \ldots, \psi_0$ be state properties such that the statement $q \supset (\psi_r\,\mathcal{W}\,\psi_{r-1} \cdots \psi_1\,\mathcal{W}\,\psi_0)$ is valid on all admissible computations. We will show that there exist state properties $p, \varphi_r, \ldots, \varphi_0$, which are first-order expressible over the integers, such that all the premises of the UNLS rule are satisfied.

As $p$ we choose

$p(s) \equiv Acc(s) = \{$There exists an initialised computation containing $s\}$.

Clearly $p$ is an invariant of all admissible computations, so that premise B is satisfied.

Let $\sigma$ be a finite segment of a computation, i.e., a finite sequence

$\sigma = s_0 \xrightarrow{\tau_1} s_1 \xrightarrow{\tau_2} \cdots \xrightarrow{\tau_k} s_k$

such that $s_{i+1} \in f_{\tau_{i+1}}(s_i)$ for each $i = 0, \ldots, k-1$. We say that $\sigma$ satisfies a temporal formula $w$ if $\sigma$'s infinite extension $s_0, s_1, \ldots, s_k, s_k, \ldots$ satisfies $w$.

Let $\sigma$ be a computation satisfying $\psi_r\,\mathcal{W} \cdots \psi_1\,\mathcal{W}\,\psi_0$. It can be verified that any finite prefix of $\sigma$ is a computation segment that also satisfies $\psi_r\,\mathcal{W} \cdots \psi_1\,\mathcal{W}\,\psi_0$.

Let us now define $\varphi_i$ for $i = 0, 1, \ldots, r$ by $\varphi_i(s) = true$ iff

(a) Every computation segment originating at $s$ satisfies $\psi_i\,\mathcal{W}\,\psi_{i-1} \cdots \psi_1\,\mathcal{W}\,\psi_0$
(b) The index $i$ is the smallest index for which (a) holds.

Let us show that the sequence of $\varphi_i$'s defined in this way satisfies premises A, C and D of the UNLS rule.

Consider first premise A. Let $s$ be a state satisfying $\varphi_i$, for $i > 0$. Let $s'$ be a state such that $s' \in f_\tau(s)$. Consider any computation segment $\sigma'$ originating in $s'$. We can obtain from it a computation segment:

$\sigma: s \xrightarrow{\tau} s' \xrightarrow{\tau_2} \cdots \xrightarrow{\tau_k} s_k$.

By our assumption about $s$, $\sigma$ must satisfy $\psi_i\,\mathcal{W} \cdots \mathcal{W}\,\psi_0$. It can be shown that, due to $i > 0$ and the minimality of $i$, this implies that $\sigma'$ must also satisfy $\psi_i\,\mathcal{W} \cdots \mathcal{W}\,\psi_0$. Thus we have identified at least one index, $i$, such that clause (a) is satisfied for $i$ and $s'$. Let $j \ge 0$ now be the minimal index satisfying (a) for $s'$. Then (b) is also satisfied, and we have that $s'$ satisfies $\varphi_j$ for some $j \le i$. This establishes premise A.

Next, consider premise C. Let $s$ be a state satisfying $q$ and $p$. It is therefore an accessible state satisfying $q$. By the assumption that $q \supset (\psi_r\,\mathcal{W} \cdots \mathcal{W}\,\psi_0)$ is a valid statement for all admissible computations, every computation originating in $s$ satisfies $\psi_r\,\mathcal{W} \cdots \mathcal{W}\,\psi_0$. Consequently every computation segment originating in $s$ satisfies $\psi_r\,\mathcal{W} \cdots \mathcal{W}\,\psi_0$. Thus clause (a) of the definition of $\varphi_i$ is satisfied for $i = r$. Let $j$ be the minimal index satisfying clause (a). Then $\varphi_j(s)$ holds and $j \le r$.

To show premise D, let $s$ be a state satisfying $\varphi_i$. Consider first $i = 0$. The zero version of $\psi_i\,\mathcal{W} \cdots \mathcal{W}\,\psi_0$ is $\psi_0$ by itself. Since every finite computation segment originating in $s$ must satisfy $\psi_0$, which is a state property, it follows that $s$ satisfies $\psi_0$. Consider next $i > 0$. Since $i$ was the minimal index satisfying clause (a), there must exist a computation segment $\sigma$ originating in $s$ which satisfies $\psi_i\,\mathcal{W} \cdots \mathcal{W}\,\psi_0$ but not $\psi_{i-1}\,\mathcal{W} \cdots \mathcal{W}\,\psi_0$. Consequently the initial section of $\sigma$ satisfying $\psi_i$ must be non-empty, and therefore $s$ must satisfy $\psi_i$. Thus we have $\varphi_i \supset \psi_i$.


We claimed that the $\varphi_i$'s defined above are first-order expressible over the integers. This is due to the fact that clause (a) refers only to finite computation segments, which is a direct consequence of the fact that we deal with the unless operator. No similar first-order definition is possible for the until operator.
8. DIRECT PROOFS OF UNTIL PROPERTIES

In spite of our recommendation of splitting a proof of an until property into a proof of a similar unless property, followed by a liveness proof of $\Diamond\psi$, there are many cases in which an until property can be directly obtained by a small modification of the liveness proof. As we have seen, both the CHAIN rule and the UNLS rule call for a sequence of assertions such that the computation always leads from $\varphi_i$ to $\varphi_j$ with $j \le i$. The CHAIN rule stipulates in addition a strict decrease under certain conditions. It is often the case that the same chain of assertions used in the CHAIN rule can be used to establish a nested until. In fact, in much the same way that we have justified the CHAIN rule, we can with the same premises obtain a stronger result:

Taking $0 < p_1 < p_2 < \cdots < p_t = r$ to be a partition of the index range $[1 \ldots r]$ into contiguous segments, we may formulate the following chain principle for until properties:

(U-CHAIN) — The Chain Rule for Until Properties

Let $\varphi_0, \varphi_1, \ldots, \varphi_r$ be a sequence of state formulas, and $0 < p_1 < p_2 < \cdots < p_t = r$ a partition of $[1 \ldots r]$.

A. $\vdash$ Every $\tau \in T$ leads from $\varphi_i$ to $\bigvee_{j \le i}\varphi_j$, for $i = 1, \ldots, r$.

B. For every $i > 0$ there exists a justice set $T_J = T_i^J$ such that:

$\vdash$ Every $\tau \in T_i^J$ leads from $\varphi_i$ to $(\bigvee_{j < i}\varphi_j)$

C. For $i > 0$ and $T_i^J$ as above:

$\vdash \varphi_i \supset [(\bigvee_{j < i}\varphi_j) \lor Enabled(T_i^J)]$

$\vdash (\bigvee_{i=0}^{r}\varphi_i) \supset \Big(\bigvee_{j=p_{t-1}+1}^{p_t}\varphi_j\Big)\,\mathcal{U}\,\Big(\bigvee_{j=p_{t-2}+1}^{p_{t-1}}\varphi_j\Big)\,\mathcal{U} \cdots \Big(\bigvee_{j=1}^{p_1}\varphi_j\Big)\,\mathcal{U}\,\varphi_0$


The conclusion states that, starting at a state that satisfies one of the $\varphi_i$'s, $i = 0, \ldots, r$, we are guaranteed to have a period in which $(\bigvee_{j=p_{t-1}+1}^{p_t}\varphi_j)$ continuously holds, followed by a period in which $(\bigvee_{j=p_{t-2}+1}^{p_{t-1}}\varphi_j)$ continuously holds, etc., until finally $\varphi_0$ is realized. Any of these periods may be empty.

To justify the soundness of this conclusion we first prove it for the most refined partition possible, namely:

(*) $(\bigvee_{i=0}^{r}\varphi_i) \supset (\varphi_r\,\mathcal{U}\,\varphi_{r-1}\,\mathcal{U}\,\varphi_{r-2}\,\mathcal{U} \cdots \varphi_1\,\mathcal{U}\,\varphi_0)$.

This is proved in a way similar to the justification of the corresponding liveness principle. We show by induction on $n$, $n = 0, 1, \ldots, r$, that

$\vdash (\bigvee_{i=0}^{n}\varphi_i) \supset (\varphi_n\,\mathcal{U}\,\varphi_{n-1}\,\mathcal{U} \cdots \varphi_1\,\mathcal{U}\,\varphi_0)$.

For $n = 0$ we have $\vdash \varphi_0 \supset \varphi_0$, from which follows trivially
$\varphi_0 \supset \varphi_0\,\mathcal{U}\,\varphi_0$.

Assume that the statement (*) above has been proved for a certain $n$ and consider its proof for $n + 1$.

Consider the EVNT rule with $\varphi = \varphi_{n+1}$, $\psi = (\bigvee_{i=0}^{n}\varphi_i)$. As shown in the proof of the liveness case, all the premises of the EVNT rule are satisfied. Consequently we may conclude:

$\vdash \varphi_{n+1} \supset \varphi_{n+1}\,\mathcal{U}\,(\bigvee_{i=0}^{n}\varphi_i)$.

By the induction hypothesis and the monotonicity of the $\mathcal{U}$ operator this yields
$\vdash \varphi_{n+1} \supset (\varphi_{n+1}\,\mathcal{U}\,\varphi_n\,\mathcal{U} \cdots \varphi_1\,\mathcal{U}\,\varphi_0)$.
Due to $\vdash v \supset (u\,\mathcal{U}\,v)$, the induction hypothesis can also be written as

$\vdash (\bigvee_{i=0}^{n}\varphi_i) \supset (\varphi_{n+1}\,\mathcal{U}\,\varphi_n\,\mathcal{U} \cdots \varphi_1\,\mathcal{U}\,\varphi_0)$.

Taking the disjunction of the last two statements gives

$\vdash (\bigvee_{i=0}^{n+1}\varphi_i) \supset (\varphi_{n+1}\,\mathcal{U}\,\varphi_n\,\mathcal{U} \cdots \varphi_1\,\mathcal{U}\,\varphi_0)$,

which is the required statement (*) for $n + 1$.

Consider now a coarser partition:

$0 < p_1 < p_2 < \cdots < p_t = r$.

By consecutively merging any two contiguous assertions that fall into the same cell, using the collapsing rule:

$\vdash (\varphi_{i+1}\,\mathcal{U}\,(\varphi_i\,\mathcal{U}\,\psi)) \supset ((\varphi_{i+1} \lor \varphi_i)\,\mathcal{U}\,\psi)$,

we obtain the coarser conclusion:

$\vdash (\bigvee_{i=0}^{r}\varphi_i) \supset \Big(\big(\bigvee_{j=p_{t-1}+1}^{p_t}\varphi_j\big)\,\mathcal{U}\,\big(\bigvee_{j=p_{t-2}+1}^{p_{t-1}}\varphi_j\big)\,\mathcal{U} \cdots \big(\bigvee_{j=1}^{p_1}\varphi_j\big)\,\mathcal{U}\,\varphi_0\Big)$.
In our mutual exclusion program, by reference to Fig. 1 it is easy to use the U-CHAIN rule and obtain:

$l_2 \supset (\varphi_5\,\mathcal{U}\,\varphi_4\,\mathcal{U}\,\varphi_{1..3}\,\mathcal{U}\,\varphi_0)$,

from which the 1-bounded overtaking from $l_2$ is obtained by the monotonicity of the until operator (i.e., replacing formulas by weaker formulas).

A natural extension of the U-CHAIN rule to programs that require infinite chains of assertions uses again well-founded ordered sets.

Let $(A, \prec)$ be a well-founded ordered set. We require, however, that the ordering is total (or linear). That is, for every two distinct elements $\alpha_1, \alpha_2 \in A$, either $\alpha_1 \prec \alpha_2$ or $\alpha_2 \prec \alpha_1$.

(U-WELL) — Well-Founded Until Rule

Let $(A, \prec)$ be a well-founded totally ordered set.

Let $\varphi(\alpha) = \varphi(\alpha, s)$ be a parametrized state formula.

Let $h: A \to J$ be a helpfulness function identifying for each $\alpha \in A$ the helpful justice set $h(\alpha) \in J$.

Let $\alpha_1 \prec \alpha_2 \prec \cdots \prec \alpha_t$ be a finite sequence of elements of $A$.

A. $\vdash$ Every transition $\tau \in T$ leads from
$\varphi(\alpha)$ to $\psi \lor \exists\beta((\beta \preceq \alpha) \land \varphi(\beta))$

B. $\vdash$ Every transition $\tau \in h(\alpha)$ leads from
$\varphi(\alpha)$ to $\psi \lor \exists\beta((\beta \prec \alpha) \land \varphi(\beta))$

C. $\vdash \varphi(\alpha) \supset [\psi \lor \exists\beta((\beta \prec \alpha) \land \varphi(\beta)) \lor Enabled(h(\alpha))]$

$\vdash \exists\alpha((\alpha \preceq \alpha_t) \land \varphi(\alpha)) \supset$
$[\exists\beta((\alpha_{t-1} \prec \beta \preceq \alpha_t) \land \varphi(\beta))\,\mathcal{U}$
$\exists\beta((\alpha_{t-2} \prec \beta \preceq \alpha_{t-1}) \land \varphi(\beta))\,\mathcal{U} \cdots$
$\exists\beta((\beta \preceq \alpha_1) \land \varphi(\beta))\,\mathcal{U}\,\psi]$

By a combination of the completeness of the WELL rule for liveness properties and the UNLS rule for unless properties we can extend the above rule to a complete rule for until properties.


9. DECISION PROCEDURES FOR FINITE STATE PROGRAMS

The question of whether a given program has a certain property expressed by a temporal formula is in general highly undecidable. However, for a very important restricted class of programs, namely finite state programs, this question is decidable. Finite state programs are programs whose variables each range over a finite domain. These programs generate only finitely many different states, and a joint finite transition diagram over these states can be constructed such that any computation is a maximal path in this finite directed graph. The literature abounds in special decision procedures for testing for deadlock situations, starvation, etc. on programs represented by finite transition diagrams. All these are special cases of the general result which states that testing a temporal formula over a finite state program is decidable. The general decision procedure for testing a temporal formula $\varphi$ on a finite state program $P$ consists in checking the implication $W_P \supset \varphi$ for general validity. In this implication $W_P$ is a formula characterizing all admissible computations of $P$. If $P$ is finite state then both $W_P$ and $\varphi$ may be represented as propositional temporal formulas. Consequently we test a propositional temporal formula for general validity. As shown in [PS], this can be done in time exponential in the size of $P$ and $\varphi$. This exponential time complexity has been a source of criticism of linear temporal logic in [CES].

In this section we show that when the temporal property $\varphi$ to be tested falls into one of the property classes discussed here, then there exists an efficient decision procedure, polynomial in the size of $P$ and $\varphi$, for testing $\varphi$ on $P$.

Let $P$ be a program consisting of $m$ processes $P_1, \ldots, P_m$. Let each process $P_i$ be presented as a transition diagram with set of nodes $L_i$. The program variables $y_1, \ldots, y_n$ assume values over finite domains $D_1, \ldots, D_n$ respectively. Then the state set $S$ of the program $P$ is the set of all possible tuples $(l_1, \ldots, l_m; \eta_1, \ldots, \eta_n)$ with $l_i \in L_i$, $i = 1, \ldots, m$, and $\eta_j \in D_j$ for $j = 1, \ldots, n$. Consequently

$|S| \le |L_1| \times \cdots \times |L_m| \times |D_1| \times \cdots \times |D_n|$.

We construct for $P$ a joint transition diagram $T_P$ with $S$ as nodes, and an edge $s \xrightarrow{P_i} s'$ for every pair of states $s, s'$ and a transition $\tau$ in $P_i$ which leads from $s$ to $s'$.

In order to generate only accessible states we start from all states satisfying $\Theta$ and include in $T_P$ only states which are derivable from states already included in $T_P$. Fig. 3 shows the diagram $T_P$ for the mutual exclusion algorithm. States in this diagram have the form $(l_i, m_j, t)$. We have not included the values of $y_1, y_2$, since in all accessible states they are uniquely determined by the location values $l_i$ and $m_j$. The initial state in this diagram is $s_0$.

We proceed to describe three algorithms which, for properties in each of the three classes, will determine whether a finite state program $P$ has this property. The algorithms will be linear in the size of $T_P$. Let us denote $N = |T_P|$.


10.  TESTING  INVARIANCES 

Let  the  formula  to  be  tested  be  of  the  form  </  D  Ely?.  We  can  check  whether  all  paths  in  Tp, 
and  hence  all  admissible  computations  of  P,  satisfy  <7  D  □  y?  by  the  following  procedure: 

PI:  Locate  in  Tp  all  states  which  satisfy  <7.  For  each  such  state  s  construct  the  transition 
diagram  7p(«)  which  includes  exactly  all  the  states  accessible  from  s.  Check  that  each 
*'  6  7p(a)  satisfies  <p. 

If  all  these  steps  succeeded  then  q  D  Dyj  is  valid  for  P.  We  can  organize  the  procedure  so 
that  it  takes  no  more  than  m  ■  N  steps  where  N  —  |7p|  and  m  is  the  number  of  processes  and 
hence  the  maximal  degree  of  Tp.  This  is  because  if  s2  £  7p(«i)  satisfies  q  then  7p(a 2)  C  7p(a|) 
and  no  separate  check  is  needed  for  s2  if  we  have  already  checked  7p(si). 
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Consequently  we  have  to  access  each  state  at  most  once,  and  then  may  have  to  explore  each 
of  its  edges. 

For  checking  invariances  wc  may  actually  suggest  a  simpler  procedure:  mark  in  Tp  each  state 
which  is  accessible  from  a  </-state  {a  state  saisfying  q).  Then  check  that  all  the  marked  s  ates 
satisfy  p.  However  the  complexity  of  the  two  procedures  is  identical  and  the  PI  procedure  above 
conforms  better  with  the  procedures  presented  below  for  the  other  classes. 

We  may  for  example  apply  PI  to  test  for  the  invariance  of  /o  to  I5  derived  for  the  mutual 
exclusion.  All  these  properties  have  the  form  □jjsowe  may  take  q  =  true  and  consider  Tp(s)  for 
all  accessible  states.  However  since  every  accessible  state  s  G  Tp(so)  =  Tp,  it  is  sufficient  to  check 
that  all  states  in  Tp  satisfy  <p. 

Indeed we can easily check, for example, that there are no states in which $l_2$, $\sim m_2$ and $t \neq 1$ are all true. In other words, every state in which both $l_2$ and $\sim m_2$ are true, i.e., $s_6$, $s_{19}$, also has $t = 1$ in it. This establishes $I_3$. Similarly, there is no accessible state in which both $l_3$ and $m_3$ hold, establishing $I_5$.

It  is  easy  to  prove: 


Lemma:

A formula $q \supset \Box\varphi$ is valid for $P$ iff the procedure P1 applied to $T_P$ succeeds.


11.  TESTING  LIVENESS 

Let the formula to be tested be of the form $q \supset \Diamond\varphi$. Let $s \in T_P$ be an accessible state. Let $\pi = s_1, \ldots, s_k$ be a finite path in $T_P$. We say that $\pi$ is a non-$\varphi$ path if none of $s_1, \ldots, s_{k-1}$ satisfy $\varphi$. Note that $s_k$ is allowed to satisfy $\varphi$. We define $T_P(s,\varphi)$ to be the directed graph containing all states in $T_P$ which are accessible from $s$ by non-$\varphi$ paths. The graph $T_P(s,\varphi)$ can be efficiently constructed as follows:

(a) Put $s$ in $T_P(s,\varphi)$.

(b) For every $s' \in T_P(s,\varphi)$ which does not satisfy $\varphi$, add all the successors of $s'$ to $T_P(s,\varphi)$.

Let us decompose $T_P(s,\varphi)$ into maximal strongly connected components. It is known that when we consider edges between the components, it is always possible to order the components in a topological sorting order $K_1, \ldots, K_r$, such that if there is an edge from a node in $K_i$ to a node in $K_j$ then necessarily $i < j$. Components such that there are no edges leading out of them are called terminal components.

We suggest the following test for checking that all just computations in $T_P(s,\varphi)$ satisfy $\Diamond\varphi$:

$\varphi$-Liveness Test:

Decompose $T_P(s,\varphi)$ into a topologically sorted list of maximal strongly connected components: $K_1, \ldots, K_r$.

For each $i = 1, \ldots, r$ check:

(a) If $K_i$ is terminal then it consists of a single node satisfying $\varphi$.

(b) If $K_i$ is nonterminal, then there must exist a $j$, $j = 1, \ldots, m$, such that every state $s \in K_i$ has a $P_j$ transition leading out of $K_i$.


Lemma:

All just computations in $T_P(s,\varphi)$ realize $\Diamond\varphi$ iff the $\varphi$-liveness test succeeds.


Proof:

Assume that the test succeeds. Let $\sigma$ be any maximal computation in $T_P(s,\varphi)$. By the ordering of $K_1, \ldots, K_r$, from a certain point on the computation must be fully contained in a single component, $K_t$ say. If $K_t$ is terminal then the computation terminates once it has entered $K_t$, and the last state satisfies $\varphi$ by (a) above. If $K_t$ is not terminal then, being contained in $K_t$ and by (b), it must be infinite, since no state in $K_t$ is terminal. Furthermore, no $P_j$ transition is ever taken once the computation has entered $K_t$, otherwise it would have left $K_t$. Consequently the computation is unjust with respect to $P_j$. Thus all just computations must eventually realize $\varphi$.

Assume that the test fails. Then either there is a terminal component $K_i$ not satisfying $\varphi$, or there exists a nonterminal component $K_i$ not satisfying condition (b). In the first case we construct a computation $\sigma$ leading from $s$ to $K_i$, and then either stopping if the state $s' \in K_i$ is terminal or looping within $K_i$ in a loop that spans all of $K_i$. Since states within $K_i$ do not satisfy $\varphi$ (actually none of them does) this can be shown to be a just computation not realizing $\varphi$. In the second case, we construct again a computation $\sigma$ reaching $K_i$ and continuing in a loop spanning all the transitions within $K_i$. By violation of condition (b) every process $P_j$ that has not terminated yet has a $P_j$ transition internal to $K_i$. Thus by traversing all transitions in $K_i$, we generate a just computation which does not realize $\varphi$.

Note that the construction of $T_P$, its decomposition into strongly connected components and applying the liveness test are all linear in the size of $T_P$.

In order to check that $q \supset \Diamond\varphi$ is valid for $P$ we could in principle take each $s \in T_P$ which satisfies $q$, construct $T_P(s,\varphi)$ and apply the $\varphi$-liveness test to it. But we can actually be more efficient as follows:

Let $s_1, \ldots, s_k$ be all the $q$-states in $T_P$. Construct $T_P(s_1,\varphi_1)$ and check it for $\varphi_1$-liveness, where

$\varphi_1(s) = \varphi(s).$

Next, construct $T_P(s_2,\varphi_2)$ and check it for $\varphi_2$-liveness, where

$\varphi_2(s) = \varphi(s) \vee s \in T_P(s_1,\varphi_1).$

Thus in constructing $T_P(s_2,\varphi_2)$ we may stop the analysis once the computation enters $T_P(s_1,\varphi_1)$, since we already know that all computations there realize $\varphi$.

In general we construct $T_P(s_i,\varphi_i)$ and check it for $\varphi_i$-liveness for $i = 1, \ldots, k$, where:

$\varphi_i(s) = \varphi(s) \vee \left[ s \in \bigcup_{j<i} T_P(s_j,\varphi_j) \right].$

In this way we essentially consider each state at most once and the whole procedure becomes linear in $|T_P|$.


Let us apply this procedure for checking the validity of $\mathit{at}\ l_1 \supset \Diamond\,\mathit{at}\ l_3$ on the mutual exclusion program. We will check the following $q$-states:

$s_{17} : (l_1, m_3, 2),\quad s_{12} : (l_1, m_0, 2),\quad s_{13} : (l_1, m_1, 2),$

$s_1 : (l_1, m_0, 1),\quad s_3 : (l_1, m_1, 1),\quad s_{16} : (l_1, m_2, 2).$


In Fig. 4 we present $T_P(s_{17}, \mathit{at}\ l_3)$. In decomposing the graph we find that every component consists of exactly one node and a possible sorting order for them is:

$s_{17}, s_{12}, s_{13}, s_{16}, s_{18}, s_{19}, s_4, s_5, s_6, s_8, s_9.$

The terminal components are $s_5$ and $s_9$ and they both satisfy $\mathit{at}\ l_3$. For every other component we easily identify a helpful process leading out of the component. Thus $P_1$ is helpful for $\{s_{17}, s_{12}, s_{13}, s_{16}, s_4, s_8\}$ and $P_2$ is helpful for $\{s_{18}, s_{19}, s_6\}$.

Note that this diagram also took care of $s_{12}$, $s_{13}$, $s_{16}$. The next $q$-state not yet analyzed is $s_1$. We construct for it $T_P(s_1,\varphi_2)$ where $\varphi_2(s) = \mathit{at}\ l_3 \vee s \in T_P(s_{17}, \mathit{at}\ l_3)$.

The corresponding diagram in Fig. 5 shows that all computations starting at $s_1$ or $s_3$ eventually must enter $T_P(s_{17}, \mathit{at}\ l_3)$. Consequently we conclude that $\mathit{at}\ l_1 \supset \Diamond\,\mathit{at}\ l_3$ is valid for the program $P$.


12.  TESTING  UNLESS  PROPERTIES 


Let the formula to be tested be

$q \supset (\varphi_r\ \mathcal{U}\ \varphi_{r-1} \ldots \varphi_1\ \mathcal{U}\ \varphi_0).$

Let $s \in T_P$ be an accessible $q$-state. Construct $T_P(s,\varphi_0)$ as before. We propose the following test for checking that all computations in $T_P(s,\varphi_0)$ satisfy $w : \varphi_r\ \mathcal{U}\ \varphi_{r-1} \ldots \varphi_1\ \mathcal{U}\ \varphi_0$.

$w$-Precedence Test:

Decompose $T_P(s,\varphi_0)$ into a topologically sorted list of maximal strongly connected components: $K_1, \ldots, K_r$. Proceeding from $K_r$ down to $K_1$, we try to assign each component $K_i$ a rank $p_i = p(K_i)$ as follows:

Let $p_i$ be the smallest $k \geq 0$ such that all states in $K_i$ satisfy $\varphi_k$ and any component $K_j$ directly connected to $K_i$, $i < j$, has a lower or equal rank, i.e., $k \geq p_j$.

If we fail to rank some component $K_i$ then the test is said to fail, otherwise we say that it has succeeded.
Lemma A:

If the $w$-precedence test succeeds, then all computations in $T_P(s,\varphi_0)$ satisfy $w$.


Proof:

Assume that the test succeeded. Let $\sigma$ be any computation in $T_P(s,\varphi_0)$. Such a computation must progress through a finite chain of components $K_{i_1}, K_{i_2}, \ldots, K_{i_t}$ with $i_1 < i_2 < \cdots < i_t$. Thus it successively satisfies $\varphi_{p(K_{i_1})}, \varphi_{p(K_{i_2})}, \ldots, \varphi_{p(K_{i_t})}$ with $p(K_{i_1}) \geq p(K_{i_2}) \geq \ldots \geq p(K_{i_t})$. Obviously it satisfies $w$.


Let $K_i$ be any component. We say that we failed to assign $K_i$ the rank $j$ if either $p_i > j$ or we failed to rank $K_i$ altogether.


Lemma B:

If we failed to assign $K_i$ the rank $j$ then for every $s \in K_i$ there exists a computation $\sigma = s \to \ldots$ (beginning in $s$) that does not satisfy

$w_j = \varphi_j\ \mathcal{U} \ldots \varphi_1\ \mathcal{U}\ \varphi_0.$


Proof:

We will prove the lemma by double induction, first on $j = 0, 1, \ldots$ and then for each $j$ on $i = r, r-1, \ldots, 1$.

Consider first $j = 0$. Let $s \in K_i$ be any state in $K_i$. If $s$ satisfies $\varphi_0$ then $K_i$ consists of $s$ alone and has no successors. Correspondingly we could have defined $p(K_i) = 0$. Since we failed to assign $0$ to $K_i$, $s$ does not satisfy $\varphi_0$. Consequently any computation beginning in $s$ falsifies $w_0 = \varphi_0$. This establishes the lemma for $j = 0$ and $K_1, \ldots, K_r$.

Consider now a $j > 0$ and assume by induction that the lemma has been proved for $j - 1$ and $K_i$, and also for $j$ and each of $K_{i+1}, \ldots, K_r$. Let $s \in K_i$.

There could be two distinct reasons why we failed to assign the rank $j$ to $K_i$.

• There exists some state $s' \in K_i$ which does not satisfy $\varphi_j$. By the induction hypothesis there exists a computation $\sigma' = s', s_2, \ldots$ which does not satisfy $w_{j-1}$. We claim that $\sigma'$ also does not satisfy $w_j$. For $\sigma'$ to satisfy $w_j$ there must be a (possibly empty) prefix of $\sigma'$ continuously satisfying $\varphi_j$ followed by a suffix which satisfies $w_{j-1}$. Since $s'$ falsifies $\varphi_j$, the prefix must be empty and the whole of $\sigma'$ must satisfy $w_{j-1}$, which contradicts the definition of $\sigma'$.

It only remains to obtain a similar computation starting from $s$, the arbitrarily specified state in $K_i$. If by chance $s = s'$ then $\sigma'$ will do. Otherwise, since $s$ and $s'$ belong to the same strongly connected component there must exist a path $s = s_1, \ldots, s_m = s'$ within $K_i$ connecting $s$ to $s'$. Consider the computation $\sigma = s, \ldots, s', s_2, \ldots$, i.e., the path from $s$ to $s'$ followed by $\sigma'$. Since no state in $K_i$ satisfies $\varphi_0$, $\sigma$ can satisfy $w_j$ only if $\sigma'$ does. Thus $\sigma$ falsifies $w_j$.


• The second case where we fail to assign $j$ to $K_i$ is that there exists a $K_t$ directly connected to $K_i$, $i < t$, such that $p_t > j$ or, more generally, we failed to assign $j$ to $K_t$. Thus there exist $s_i \in K_i$ and $s_t \in K_t$ such that

$s_i \xrightarrow{P_k} s_t$

for some $P_k$.

By strong connectedness there exists a (possibly empty) path connecting $s$ to $s_i$: $s, \ldots, s_i$. By the induction hypothesis, since $t > i$ and we failed to assign $j$ to $K_t$, there exists a computation $\sigma_t : s_t, s_2, \ldots$ which falsifies $w_j$. Consider now the computation

$\sigma : s, \ldots, s_i, s_t, s_2, \ldots$

The computation $\sigma$ consists first of the path from $s$ to $s_i$ within $K_i$, then the edge from $s_i$ to $s_t$, and then follows $\sigma_t$. Since the whole segment $s, \ldots, s_t$ does not contain a state satisfying $\varphi_0$, $\sigma$ can satisfy $w_j$ only if $\sigma_t$ does, which is impossible. Thus $\sigma$ falsifies $w_j$ as required.


Let now $K_i$ be a component that was not ranked altogether. By the last lemma there exists a computation $\sigma = s, s_2, s_3, \ldots$ with $s \in K_i$ such that $\sigma$ falsifies

$w_r = \varphi_r\ \mathcal{U} \ldots \varphi_1\ \mathcal{U}\ \varphi_0.$

We can prefix $\sigma$ by a path leading from $s_0$ to $s$ and obtain a computation $\sigma_0 = s_0, \ldots, s, \ldots$ which fails to satisfy $w_r$. We may combine Lemmas A and B to obtain:


Corollary:

Given $T_P(s_0,\varphi_0)$, all $s_0$-initialized computations in $T_P(s_0,\varphi_0)$ satisfy
$w = \varphi_r\ \mathcal{U} \ldots \varphi_1\ \mathcal{U}\ \varphi_0$
iff the $w$-precedence test succeeded.


Proof: 

In order to test the general implication $q \supset w$ on the entire $T_P$ diagram we proceed as follows:

Let $s_1, s_2, \ldots, s_k$ be all the $q$-states in $T_P$. Construct $T_P(s_1,\varphi_0)$ and test $\varphi_r\ \mathcal{U} \ldots \varphi_1\ \mathcal{U}\ \varphi_0$ on it. Construct $T_P(s_2,\psi_2)$ where $\psi_2(s) = \varphi_0(s) \vee s \in T_P(s_1,\varphi_0)$.

Test $\varphi_r\ \mathcal{U} \ldots \mathcal{U}\ \varphi_0$ on $T_P(s_2,\psi_2)$. In ranking the components we add the following rule:

If $K_i$ is a terminal component consisting of the single node $s \in T_P(s_1,\varphi_0)$, give $K_i$ the rank that $s$ (or the component containing $s$) has received in $T_P(s_1,\varphi_0)$.

In general we construct $T_P(s_i,\psi_i)$ where

$\psi_i(s) = \varphi_0(s) \vee \left[ s \in \bigcup_{j<i} T_P(s_j,\psi_j) \right] \qquad (\psi_1 = \varphi_0).$

We then test $\varphi_r\ \mathcal{U} \ldots \mathcal{U}\ \varphi_0$ on $T_P(s_i,\psi_i)$, ranking any component consisting of $s \in T_P(s_j,\psi_j)$ for some $j < i$ according to the rank it received earlier.

Consequently the testing procedure is again linear in the size of $T_P$. To be precise, it is of complexity $r \cdot m \cdot |T_P|$.
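As an added example, not code from the paper, the following implements the $\varphi$-liveness test of Section 11 and the $w$-precedence ranking of Section 12 over a small constructed two-process transition diagram; the states s0..s4, the process labels P1, P2 and the propositions a, b, goal are constructed for illustration and are not the mutual exclusion program. The components are ordered by the size of their reachable sets, which is a valid topological order of the condensation graph, and a variant diagram H adds one back edge so that both tests fail.

```python
from typing import Callable, Dict, List, Optional, Set, Tuple

Graph = Dict[str, List[Tuple[str, str]]]  # state -> [(process, successor state)]

def sub_diagram(g: Graph, s: str, phi: Callable[[str], bool]) -> Graph:
    """T_P(s, phi) by steps (a) and (b) of the text: phi-states keep no successors."""
    sub, todo = {}, [s]
    while todo:
        u = todo.pop()
        if u not in sub:
            sub[u] = [] if phi(u) else list(g.get(u, []))
            todo.extend(v for _, v in sub[u])
    return sub

def components(g: Graph) -> List[Set[str]]:
    """Maximal SCCs sorted so that an edge K_i -> K_j implies i < j (descending reach set)."""
    closure = {u: set(sub_diagram(g, u, lambda _: False)) for u in g}
    comps: List[Set[str]] = []
    for u in sorted(g, key=lambda x: -len(closure[x])):
        if not any(u in k for k in comps):
            comps.append({v for v in closure[u] if u in closure[v]})
    return comps

def liveness_test(g: Graph, s: str, phi: Callable[[str], bool], procs: List[str]) -> bool:
    """phi-liveness test: do all just computations in T_P(s, phi) realize <>phi?"""
    sub = sub_diagram(g, s, phi)
    for k in components(sub):
        exits = {u: {p for p, v in sub[u] if v not in k} for u in k}
        if not any(exits.values()):  # terminal component: rule (a)
            if len(k) != 1 or not phi(next(iter(k))):
                return False
        elif not any(all(p in exits[u] for u in k) for p in procs):
            return False  # rule (b): no helpful process P_j leads out of K_i
    return True

def precedence_test(g: Graph, s: str, phis: List[Callable[[str], bool]]) -> Optional[Dict[str, int]]:
    """w-precedence test for w = phi_r U ... phi_1 U phi_0 (phis[k] is phi_k).
    Returns state -> rank p(K_i), or None when some component cannot be ranked."""
    sub = sub_diagram(g, s, phis[0])
    rank: Dict[str, int] = {}
    for k in reversed(components(sub)):  # from K_r down to K_1, successors first
        low = max((rank[v] for u in k for _, v in sub[u] if v not in k), default=0)
        fits = [j for j in range(low, len(phis)) if all(phis[j](u) for u in k)]
        if not fits:
            return None
        rank.update({u: fits[0] for u in k})
    return rank

# Constructed two-process diagram (not the paper's Fig. 4); s4 is the goal state.
G: Graph = {"s0": [("P1", "s1"), ("P2", "s2")], "s1": [("P2", "s3")],
            "s2": [("P2", "s2"), ("P1", "s3")], "s3": [("P1", "s4")], "s4": []}
H: Graph = {**G, "s3": [("P1", "s4"), ("P2", "s1")]}  # variant: s3 can return to s1
LABEL = {"s0": "a", "s1": "a", "s2": "b", "s3": "b", "s4": "goal"}
PROCS = ["P1", "P2"]
def has(x: str) -> Callable[[str], bool]: return lambda u: LABEL[u] == x
```

In G every nonterminal component has a helpful process and the ranking of a U b U goal succeeds; in H the cycle {s1, s3} has no process leading out of both states, and it cannot be ranked, which exhibits the just computation s0, s1, s3, s1, s3, ... that never reaches the goal.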

To illustrate the procedure let us test the validity of the following unless property:

$l_0 \supset (l_0\ \mathcal{U}\ m_3\ \mathcal{U}\ \sim m_3\ \mathcal{U}\ m_3\ \mathcal{U}\ \sim m_3\ \mathcal{U}\ l_3).$

This property again expresses a certain kind of 2-bounded overtaking. However the reference point is when $P_1$ is at $l_0$. It states that from the time $P_1$ decides to leave $l_0$, $P_2$ may enter $m_3$ at most twice before $P_1$ enters $l_3$. Furthermore, actual 2-overtaking can take place only if $P_1$ on exiting $l_0$ finds $P_2$ in $m_3$ at precisely the same moment. If on exiting $l_0$, $P_1$ finds $P_2$ anywhere else then at most 1-overtaking can take place. In contrast with other unless properties considered before in this paper, this property is not an until property. The corresponding until property does not hold, since when $P_1$ is at $l_0$ it is quite acceptable that it never gets out to achieve $l_3$.

We define

$q = \varphi_5 : \mathit{at}\ l_0$

$\varphi_4 = \varphi_2 : \mathit{at}\ m_3$

$\varphi_3 = \varphi_1 : \sim \mathit{at}\ m_3$

$\varphi_0 = \mathit{at}\ l_3$

Accessible $q$-states in $T_P$ are:

$s_{15} : (l_0, m_3, 2),\quad s_{10} : (l_0, m_0, 2),\quad s_{11} : (l_0, m_1, 2),$

$s_{14} : (l_0, m_2, 2),\quad s_0 : (l_0, m_0, 1),\quad s_2 : (l_0, m_1, 1).$

In Fig. 6 we have $T_P(s_{15},\varphi_0)$. Its component decomposition gives the following topologically sorted list of components:

$K_1 = \{s_{15}, s_{10}, s_{11}, s_{14}\},\ \{s_{17}\},\ \{s_{12}\},\ \{s_{13}\},\ \{s_{16}\},\ \{s_{18}\},\ \{s_{19}\},\ \{s_4\},\ \{s_5\},\ \{s_6\},\ \{s_8\},\ \{s_9\}.$

Going backwards we assign the following ranks:

$p_i = 0$ for $i \in \{5, 9\}$

$p_i = 1$ for $i \in \{8, 6, 4\}$

$p_i = 2$ for $i = 19$

$p_i = 3$ for $i \in \{16, 18, 13, 12\}$

$p_i = 4$ for $i = 17$

$p(K_1) = 5$


This shows that the desired unless property actually holds for the $q$-states $s_{15}, s_{10}, s_{11}, s_{14}$.

Next let us consider $T_P(s_0, [\varphi_0(s) \vee s \in T_P(s_{15},\varphi_0)])$. It is given in Fig. 7. All the terminal nodes belong to the previous diagram and their ranks have been listed. We may proceed to rank the unranked states in $T_P(s_0,\psi_2)$.

We define

$p_i = 3$ for $i \in \{1, 3\},$

and

$p_i = 5$ for $i \in \{0, 2\}.$

Thus, all $q$-states have been successfully ranked, and the unless property

$l_0 \supset (l_0\ \mathcal{U}\ m_3\ \mathcal{U}\ \sim m_3\ \mathcal{U}\ m_3\ \mathcal{U}\ \sim m_3\ \mathcal{U}\ l_3)$

has been established. We obviously cannot do better, since the computation

$s_{15} \to s_{17} \to s_{12} \to s_{13} \to s_{16} \to s_{18} \to s_{19} \to s_4 \to s_5$

demonstrates 2-overtaking.
Fig. 3. Joint Transition Diagram for the Mutual Exclusion Program.

Fig. 6.